Shadow IT Discovery with CASB
A step-by-step tutorial for using CASB to discover, classify, and remediate shadow IT in your organization — from log ingestion to policy enforcement.
A typical CASB discovery scan at a 3,000-person company finds 1,000-1,500 cloud applications. IT usually sanctions about 100-120 of them. The rest includes dozens of file-sharing services, AI tools ingesting corporate data, and the occasional cryptocurrency exchange. The gap between what IT thinks employees are using and what they are actually using is staggering. CASB is how you close that gap.
This walkthrough covers the end-to-end process of using CASB for shadow IT discovery, from initial log ingestion through classification, risk scoring, and remediation. The concepts apply to any CASB vendor, though the UI details will vary.
What you need before you start
- A CASB platform with cloud app discovery enabled (Netskope, Palo Alto Networks, Zscaler, or Microsoft Defender for Cloud Apps all work)
- Access to firewall or proxy logs — at least 30 days of historical data
- A cloud app catalog subscription (most CASB vendors include one; it maps IP addresses and domains to known SaaS applications)
- An internal stakeholder from IT governance or procurement who will own remediation decisions
Step 1: Ingest traffic logs
CASB discovery starts with traffic data. There are two approaches: log-based (upload firewall or proxy logs for offline analysis) and inline (the CASB inspects traffic in real time because it already sits in the data path as part of your SSE deployment). Inline is better because it is continuous and it sees traffic that never crosses a logging firewall, such as remote users going straight to the internet without a VPN. Log-based discovery is still a good starting point if you have not deployed SSE yet, as long as you remember that it only shows the network segments and users whose logs you actually uploaded.
- Navigate to your CASB platform's cloud discovery or shadow IT module
- If using log upload: export logs from your firewall (Palo Alto, Fortinet, Check Point) or proxy (Zscaler, Squid, Blue Coat) in the vendor's supported format
- Upload the log files or configure a syslog feed for continuous ingestion
- Wait for processing — log-based analysis typically takes 15–60 minutes for the first batch
- If using inline: verify that your SSE deployment is inspecting traffic for all user groups you want to assess
Step 2: Review the application inventory
Once logs are processed, the CASB will present a catalog of discovered cloud applications. This is where the shock usually hits. A typical organization of 2,000–3,000 people discovers 900–1,500 distinct cloud applications on first scan. Do not panic — most of these have fewer than five users and many are embedded services (CDNs, analytics trackers) rather than user-facing apps.
Focus your review on applications that meet at least one of these criteria:
- More than 10 active users
- Classified as a file sharing or collaboration tool (data exposure risk)
- Classified as a GenAI or machine learning tool (data leakage risk)
- Hosted in a geography with data sovereignty concerns for your industry
- No SOC 2 or ISO 27001 certification
Step 3: Apply risk scoring
Every CASB vendor provides a risk score for known cloud applications, typically based on factors like encryption in transit, encryption at rest, compliance certifications, data residency options, admin audit logging, and multi-factor authentication support. These scores are a starting point, not a final answer.
- Review the vendor's default risk scoring criteria and adjust weights to match your organization's priorities (for example, a healthcare company may weight data residency higher than a tech startup)
- Set a risk threshold. Most catalogs score on a scale where a higher number means a safer app (Defender for Cloud Apps uses 0–10, Netskope's Cloud Confidence Index 0–100), so applications scoring below the threshold are flagged for review (a common starting point is 5 out of 10)
- Export the list of high-risk applications with more than 10 users — this is your immediate action list
- Cross-reference with your procurement system to identify which apps are sanctioned (approved), tolerated (known but not approved), or unsanctioned (unknown)
Step 4: Classify and categorize
Group discovered applications into three buckets:
| Category | Definition | Action |
|---|---|---|
| Sanctioned | Approved by IT, under contract, meets security requirements | Allow and monitor |
| Tolerated | Known to IT, low risk, no contract but not worth blocking | Allow with coaching (show users a notification that the app is not officially supported) |
| Unsanctioned | Unknown to IT, high risk, or duplicates a sanctioned tool | Block or redirect users to the sanctioned alternative |
The tolerated category is the most important and the most often skipped. Not every shadow IT app needs to be blocked. If 200 people are using Canva for marketing graphics and it has a risk score of 7 out of 10, the pragmatic move is to tolerate it while ensuring DLP policies cover it. Forcing users onto an inferior sanctioned alternative costs productivity and creates resentment.
Step 5: Create and enforce policies
With your classification in place, translate it into CASB policies:
- Create a block policy for unsanctioned high-risk applications — display a custom block page that explains why and offers the sanctioned alternative
- Create coaching policies for tolerated applications — display an inline notification on first access each day that says "This app is not officially supported. For file sharing, use [sanctioned app]."
- Create DLP policies for sanctioned applications — monitor for sensitive data uploads and sharing outside the organization
- Create alert policies for new applications — notify the security team when a previously unseen application appears with more than 5 users
- Run all policies in monitor mode for one week before enforcing, and review the hits so that a block policy does not cut off a business process nobody documented
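The Step 2 through Step 5 logic, written out as an added example (this is not code from the original article or from any CASB vendor): it parses constructed proxy log lines, counts distinct users per catalog app, applies the review criteria and the risk threshold, sorts each app into the sanctioned / tolerated / unsanctioned buckets with its policy action, and produces both the immediate action list and the "new app with more than 5 users" alert. The app catalog, the domains, the risk scores (0–10, 10 = safest) and the approved-app list are all hypothetical.

```python
"""Added example, not code from the original article or any CASB vendor: an
offline shadow IT discovery pass (Steps 2 to 5) over constructed proxy log lines.
The catalog, domains, scores (0-10, 10 = safest) and approved list are hypothetical."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical app catalog: what a vendor catalog subscription would return.
APP_CATALOG = {
    "CorpDocs":       {"domains": ["corpdocs.example"],   "category": "file sharing", "score": 9, "soc2": True},
    "ExampleShare":   {"domains": ["exampleshare.io"],    "category": "file sharing", "score": 3, "soc2": False},
    "ExampleBox":     {"domains": ["examplebox.example"], "category": "file sharing", "score": 8, "soc2": True},
    "ExampleGen":     {"domains": ["examplegen.ai"],      "category": "genai",        "score": 4, "soc2": False},
    "ExampleDesign":  {"domains": ["exampledesign.com"],  "category": "design",       "score": 7, "soc2": True},
    "ExampleMetrics": {"domains": ["examplemetrics.net"], "category": "analytics",    "score": 8, "soc2": True},
}
DOMAIN_TO_APP = {d: app for app, meta in APP_CATALOG.items() for d in meta["domains"]}
SANCTIONED = {"CorpDocs"}      # approved list from procurement (hypothetical)
RISK_THRESHOLD = 5             # Step 3: flag apps scoring below this
REVIEW_MIN_USERS = 10          # Step 2: "more than 10 active users"
NEW_APP_ALERT_USERS = 5        # Step 5: alert on unseen apps with more than 5 users

def build_sample_log():
    """Constructed proxy lines ("timestamp user url"); no real traffic or users."""
    rows = []
    def visits(n, host, path, hour):
        for i in range(n):
            rows.append(f"2024-05-01T{hour:02d}:{i:02d}:00Z user{i:02d} https://{host}{path}")
    visits(40, "docs.corpdocs.example", "/open", 8)          # sanctioned docs tool
    visits(12, "files.exampleshare.io", "/upload", 9)        # unapproved file sharing
    visits(4,  "www.examplebox.example", "/share", 10)       # duplicates CorpDocs
    visits(6,  "chat.examplegen.ai", "/api/chat", 11)        # GenAI tool
    visits(15, "app.exampledesign.com", "/editor", 12)       # marketing design tool
    visits(3,  "cdn.examplemetrics.net", "/pixel.gif", 13)   # embedded analytics
    visits(2,  "tracker.unlisted-vendor.example", "/", 14)   # not in the catalog
    return "\n".join(rows)

def registrable_domain(host):
    # Simplification: last two labels. Real catalogs match full hostnames and IP
    # ranges and handle multi-part suffixes such as co.uk; this does not.
    return ".".join(host.split(".")[-2:])

def parse_log(text):
    """Yield (user, host) pairs; skip blank and comment lines."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            _ts, user, url = line.split()
            yield user, urlsplit(url).hostname

def build_inventory(records):
    """Step 2: map traffic to catalog apps and count distinct users per app."""
    users = defaultdict(set)
    for user, host in records:
        domain = registrable_domain(host)
        users[DOMAIN_TO_APP.get(domain, f"unknown:{domain}")].add(user)
    return {app: len(u) for app, u in users.items()}

def needs_review(app, user_count):
    """Step 2 review criteria; any one is enough. Geography is omitted because
    the constructed catalog carries no hosting region."""
    meta = APP_CATALOG.get(app)
    if meta is None:
        return True                              # not in the catalog: always look
    return (user_count > REVIEW_MIN_USERS
            or meta["category"] in ("file sharing", "collaboration", "genai")
            or not meta["soc2"])

def classify(app):
    """Step 4 buckets (sanctioned / tolerated / unsanctioned) and the Step 5 action."""
    if app in SANCTIONED:
        return "sanctioned", "allow and monitor; DLP on uploads and external shares"
    meta = APP_CATALOG.get(app)
    if meta is None or meta["score"] < RISK_THRESHOLD:
        return "unsanctioned", "block; block page names the sanctioned alternative"
    if meta["category"] in {APP_CATALOG[a]["category"] for a in SANCTIONED}:
        return "unsanctioned", "redirect users to the sanctioned tool in this category"
    return "tolerated", "allow with coaching; make sure DLP policies cover it"

def immediate_action_list(inventory):
    """Step 3: high-risk apps with more than 10 users."""
    return sorted(app for app, n in inventory.items() if n > REVIEW_MIN_USERS
                  and APP_CATALOG.get(app, {"score": 0})["score"] < RISK_THRESHOLD)

def new_apps(inventory, baseline):
    """Step 5 alert policy: apps absent from the previous run with more than 5 users."""
    return sorted(app for app, n in inventory.items()
                  if app not in baseline and n > NEW_APP_ALERT_USERS)

if __name__ == "__main__":
    inv = build_inventory(parse_log(build_sample_log()))
    for app, n in sorted(inv.items(), key=lambda kv: -kv[1]):
        bucket, action = classify(app)
        flag = "REVIEW" if needs_review(app, n) else "      "
        print(f"{flag} {app:<32} {n:>3} users  {bucket:<12} {action}")
    print("immediate action:", immediate_action_list(inv))
    # Baseline: apps seen in the previous (hypothetical) discovery run.
    print("new since last run:", new_apps(inv, {"CorpDocs", "ExampleDesign", "ExampleMetrics"}))
```

Two design choices worth noting. A domain that is not in the catalog lands in the unsanctioned bucket rather than being ignored, because "unknown to IT" is exactly the case the catalog cannot vouch for; in practice you would send those to manual review before they reach a block policy. And the duplicate check (a well-scored file-sharing app that overlaps a sanctioned one) is what turns ExampleBox into a redirect rather than a tolerate, which is the consolidation effect the "what good looks like" section describes.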
Step 6: Report and iterate
Shadow IT discovery is not a one-time project. New applications appear every week as employees sign up for free trials and new tools go viral. Set up a standing review cadence:
- Monthly: Review newly discovered applications and classify them
- Monthly: Check coaching policy effectiveness — are users migrating to sanctioned alternatives?
- Quarterly: Re-score tolerated applications and decide whether to sanction or block
- Quarterly: Report shadow IT trends to leadership (number of apps discovered, blocked, sanctioned)
- Annually: Review risk scoring weights with the governance team
What good looks like
After 90 days of active CASB-based shadow IT management, you should see the number of unsanctioned high-risk applications trending toward zero, users self-correcting when coaching notifications appear, procurement engaging earlier in SaaS evaluation because they have visibility into what is being adopted, and a significant reduction in redundant tools (you will find three or four project management apps where one would suffice). Shadow IT will never reach zero, and it should not — it is a sign that your employees are solving problems. The goal is visibility and risk management, not total control.